"I don't think the report is true, but these crises work for those who want to make fights between people." Kulam Dastagir, 28, a bird seller in Afghanistan

Closing the cyber security threat intelligence gap - SC Magazine

Topic: Miscellaneous

7:18 am EST, Feb 19, 2014

It's no secret that one of the effects of the Edward Snowden revelations has been a slowdown in the effort to pass new cyber security legislation that facilitates information sharing between the government and the private sector. However, the need for cyber threat intelligence sharing is still vital, and with Congress sidelined, it's going to take leadership from the nation's corporate executives to make progress on this issue within the framework of our current laws.

This Techdirt article on Walton's implementation of Obama's NSA reforms is worth a read.

Walton seems resistant to turning the court into an oversight entity, which it really isn't. That's supposed to be the legislative branch's role, but that has been undermined by cheerleaders masquerading as overseers who have withheld information from their fellow legislators. Walton also may not trust the agency enough at this point to feel comfortable approving RAS requests.

We learned last week that the court—and to my eye quite unsurprisingly—had granted the Department of Justice’s request to tweak minimization procedures applicable to the 215 program, among other things by having the FISC pre-approve the NSA’s determinations of “reasonable and articulable suspicion” (“RAS”).

This reform is probably the most important result of the meta-data debate.

If the corporations are storing the data already—for some business purpose—then the answer is easy: Only they should store it. If the corporations are not already storing the data, then—on balance—it's safer for the NSA to store the data. And in many cases, the right answer is for no one to store the data. It should be deleted because keeping it makes us all less secure.

Bruce Schneier's analysis of whether or not the NSA should store collected meta-data is correct and worth reading.

Jameel Jaffer, an A.C.L.U. attorney who argued against Mr. Verrilli in the Supreme Court, contended that the representatives of the Justice Department were “tying themselves up in knots in order to gloss over what was plainly a misrepresentation.”

He added: “The government told the Supreme Court that it was complying with the notice requirement, but it neglected to mention that it was construing the notice requirement so narrowly that defendants who were entitled to notice weren’t receiving it.”

A federal court in Ohio has ruled that individuals whose data was stolen by criminals in a data breach have no standing to sue the company that lost control of their data unless they can prove that the criminals actually used the data maliciously. The court reached this conclusion by relying on a Supreme Court ruling over NSA surveillance. The ruling brings into focus the potential unintended consequences of the government's legal strategy on NSA surveillance.

It's no secret that many of the NSA's surveillance programs were started long before their current legal justifications were created. In attempting to defend the legality of these programs, the NSA's defenders have articulated interpretations of the law that draw broad circles around this kind of activity, and the judiciary has upheld these broad interpretations rather than rule against the NSA.

One of the ways that the judiciary has sought to shield the NSA from legal challenges is by arguing that individual citizens do not have standing to challenge the legality of NSA programs unless they can prove that their personal data was accessed inappropriately. This court in Ohio applied that same logic to a different set of circumstances - where the data wasn't held by the NSA, but by a criminal organization. What makes sense in one context ought to apply in other contexts.

This sort of follow-on consequence may occur in other ways as well. With respect to the domestic meta-data surveillance program, the NSA's defenders have argued that there are no Fourth Amendment or First Amendment implications, and that the surveillance was authorized by Section 215 of the Patriot Act. If this interpretation is true, then Section 215 of the Patriot Act also authorizes the mass collection of any other kind of business record. Furthermore, if there are absolutely no constitutional implications, then the government can authorize by statute the mass collection of business records for other purposes as well, such as everyday law enforcement. Also, state and local governments can follow suit and operate their own local mass surveillance programs that target their citizens.

The judiciary needs to pay closer attention to these issues in handing down rulings that authorize far more than they intend. For more about the Ohio ruling, click this link:

Is the impact of meta-data surveillance on citizens really insignificant?

Topic: Miscellaneous

3:08 pm EST, Feb 14, 2014

Rob Graham posted some insightful thoughts on his blog regarding why he is opposed to meta-data surveillance by the NSA. I mostly agree with his sentiment, but I had to challenge him on one point. He wrote:

The issue that is important to me is the same sort of issue that provoked the Boston Tea Party of 1773. Britain had repealed the onerous taxes, all except the insignificant tax on tea. The reason the colonists rebelled was not because of the amount of money, which was tiny, but because "taxation without representation" was an intolerable philosophical idea. It meant that the colonists were "subjects" to be exploited by Britain, and not "free citizens" of the realm.

The same thing is true here with the Section 215 collection of phone records. In truth, the impact on citizens is insignificant and there are extensive safeguards to prevent this from being abused. None of that matters to me, as it's still surveillance of innocent citizens suspected of no crime. It subjugates us, and is an intolerable infringement on a free person's rights.

Is the impact on citizens really insignificant?

First, I'm not sure that the claim that there are "extensive safeguards" is credible. For years we've been told that they weren't collecting meta-data at all. Now we're being told that meta-data is being collected, but there are extensive safeguards. If the first claim was false, why does the second claim have credibility? By whose standards are the safeguards considered "extensive?"

Second, I'm not sure that the claim that they're only collecting meta-data is credible. The Wall Street Journal reported that the content of all email and text messages sent in the Salt Lake City area during the 2002 Winter Olympic Games was monitored. That is not meta-data and none of the legal arguments about meta-data apply to it. Are they still collecting content now? If they denied doing so, would those denials be credible?

Third, I'm not sure that meta-data collection has an insignificant impact on citizens. Every time you call someone, the government has a record. That record is kept. They claim that they only keep it for five years, but that could be a lie, or the record retention time could change at any point during that five-year period into a longer retention time, and that change could occur without any public announcement. If, for any reason in the future, the person you are contacting comes under suspicion, either by this government, or by a future government that is more aggressive than this one, you are better off not making that call. If the person you are contacting is either a political activist or a criminal of any sort, your association with them could lead to assumptions being made about you by the authorities. Maybe the current restrictions make it unlikely that this association would be observed by the authorities, but if the rules for accessing the data change in the future, you won't get the opportunity to go back and delete the record. Therefore, reasonable people may choose to limit the exercise of their right to freedom of association as a consequence of meta-data retention.

Concluding that the impact on associational liberty is insignificant understates the importance of a fundamental Constitutional right.

I am writing to tell you that as a constituent, I will not be voting for any candidate who supports mass surveillance of Americans. This country's leadership has lost all credibility on this issue. The telecom companies issued dishonest statements to the public in 2006 about meta-data collection. The President of the United States ostensibly ran for office on a platform that included curtailing warrantless surveillance but has allowed these programs to continue in secret. The Director of National Intelligence lied under oath about the issue in an open Senate hearing and nothing has been done. The Wall Street Journal reported that the content of all email and text messages sent in the Salt Lake City area during the 2002 Winter Olympic Games was collected and monitored. Is this sort of domestic content monitoring still going on? It's impossible to say. Even if the country's leadership denied it, denials could not be taken seriously under these circumstances. Your responsibility is to the American people, not to the intelligence community.

I'm really getting sick of the rationalizations of the surveillance state.

In judging the action of whistle-blowers, three criteria apply. They must have clear and convincing evidence of abuse. Publishing the information must not pose a disproportionate threat to public safety. And the leak must be as limited in scope and scale as possible. Snowden failed all three of these tests.

The documents published thus far do not depict a rogue agency. They indicate—with partial, out-of-date and ambiguous evidence, mostly consisting of out-of-context presentation slides—that the NSA has plenty of flaws. How could it not? Like other government agencies and bureaucracies, it pushes the limits of its regulatory, political and judicial constraints. That is not surprising. Like people everywhere, NSA officials brag. They make mistakes (and get disciplined for them). Again, not too surprising.

To justify even a limited breach of secrecy, Snowden would need to prove something far more: evidence of systematic, gross wrongdoing, based on wilful contempt for judicial, legislative and political oversight. In such circumstances, the actions of a Daniel Ellsberg can be justified.

But nothing published by Snowden shows that. The NSA revealed in these documents looks nothing like J. Edgar Hoover’s FBI. And Barack Obama, for all his faults, is not Richard Nixon, using the power of the state to go after his domestic enemies. On the contrary: The United States has put the most elusive and lawless part of government—intelligence—into the strongest system of legislative and judicial control anywhere in the world. Some want it still stronger (I think it’s too cumbersome and intrusive). But such questions are for the political process to settle. They do not justify catastrophic and destructive leaking.

The Snowdenistas’ second line of defense is that they have at least sparked a debate. But a public discussion, and limited reforms, on issues such as the use of National Security Letters (secret FBI orders to force people and businesses to cooperate with law enforcement), the privacy risks of warehousing metadata and whether “zero-day” exploits (vulnerabilities in computer hardware and software) should be instantly patched or exploited for espionage—are limited benefits, not overwhelming ones. They do not justify catastrophic damage either. The question of whether we house telephone metadata at the NSA or house it at tech companies is not exactly the difference between tyranny and freedom.

Edward Lucas tells us that a public discussion about this totally unprecedented mass domestic electronic surveillance program is of "limited benefit." Well, he is entitled to his own opinion, but as this country is supposedly a democracy, most Americans also feel entitled to their opinions about major domestic public policy issues, and that would be impossible if not for the fact of...